Archive for the 'Active Directory' Category

Let’s say you have a SharePoint farm running in your DMZ, part of EXTERNAL domain. There is also an internal domain called INTERNAL. There is a one-way trust from EXTERNAL to INTERNAL domain – External trusts Internal. You are trying to add a user from INTERNAL to your EXTERNAL SharePoint 2010 site and grant them permission, and you’re getting the following error:

However, the error persists; you still get the same error! What gives?

The command is not correct – make sure that you use the proper terms for your AD configuration.
In my case, instead of “domain:internal.domain.com”, I had to use “forest:internal.domain.com”. Here’s the full command:

However, out of the box in SharePoint, you can’t set up a mapping from Active Directory to SharePoint and retrieve a list of AD groups that the user belongs to. Active Directory stores this information in the memberOf property of the user account; however, this property cannot be mapped to a SharePoint profile property. (See this TechNet forum post for more details.)

Solution:

You can set up a custom property in SharePoint and run a PowerShell script which will update your SharePoint user profiles with the memberOf value from AD. I tested this solution in our Dev environment with over 2,000 SharePoint profiles and it worked as expected.

2. Create a new custom property (mine is called “ADSecurityGroups”). Make sure to specify a sufficient field length (I used 255), and leave the “Allow multiple values” checkbox cleared.

When finished entering values, click OK.

4. Create the following PowerShell script and modify it with your values for $ADdomain, $siteUrl, $SSP, and $propName. Execute the script using a domain account with Read access to AD and farm administrator access to SharePoint. If you copy and paste the script, check that no lines have wrapped.

This script will have to be executed regularly (nightly) as a scheduled task on your SharePoint server to keep your SharePoint profile properties synchronized with AD.

Warning: Make sure to test this script carefully in your TEST environment, before executing in Production!
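As an added example (not the original post's script), the following PowerShell implements the sync described in steps 2 to 4: it reads each user's memberOf from AD, collapses the group names into one string that fits the 255-character field, and writes it to the custom profile property. It assumes the SharePoint 2010 Management Shell on a farm server; $ADdomain, $siteUrl, $netbiosDomain and $propName are placeholder values to replace with your own.

```powershell
# Added example, not the original post's script. Placeholder values below are constructed.
$ADdomain      = "DC=internal,DC=domain,DC=com"    # LDAP search base for the user accounts
$netbiosDomain = "INTERNAL"                          # NetBIOS name used in SharePoint account names
$siteUrl       = "http://sharepoint.example.local"   # any site served by the User Profile Service App
$propName      = "ADSecurityGroups"                  # custom profile property created in step 2
$maxLen        = 255                                 # field length chosen in step 2

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

# UserProfileManager for the service application that serves $siteUrl
$site    = Get-SPSite $siteUrl
$context = Get-SPServiceContext $site
$upm     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

# One paged LDAP query for all user accounts that belong to at least one group
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ADdomain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=*))"
$searcher.PageSize = 1000                            # paging so large directories return completely
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("memberOf")

foreach ($result in $searcher.FindAll()) {
    $sam     = [string]$result.Properties["samaccountname"][0]
    $account = "$netbiosDomain\$sam"
    if (-not $upm.UserExists($account)) { continue }  # only users who already have a profile

    # memberOf holds group distinguished names; keep each group's CN and join them
    $groups = @($result.Properties["memberof"] |
        ForEach-Object { (($_ -split ",")[0]) -replace "^CN=", "" }) | Sort-Object
    $value = $groups -join ";"
    if ($value.Length -gt $maxLen) {                  # respect the single-value field length
        $value = $value.Substring(0, $maxLen)
    }

    $profile = $upm.GetUserProfile($account)
    if ($profile[$propName].Value -ne $value) {       # write only when the value changed
        $profile[$propName].Value = $value
        $profile.Commit()
        Write-Host "Updated $account"
    }
}
```

Because the property is a nightly snapshot that is truncated to the field length, treat it as display information for the profile, not as the source of truth for authorization decisions, which should keep coming from the AD groups themselves.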

There are times when a network admin or developer needs to access certain properties of Active Directory user accounts, and some of the properties may not be visible in the MMC console. But how do you know which properties and methods are available for the User object in AD? It can be quite difficult to find documentation on this topic, but there is a site on MSDN which lists all methods and properties of the IADsUser object available through ADSI for access from scripts and applications:

What this section does not tell you is what the types of these fields are (string, array, etc.). For example, the Description field is not a string, it’s an array of strings. If you try to access an array field with a script that uses a string variable, it will inevitably fail.

How do you find that out? You can find out by running WMI CIM Studio on your server. Download it here: